What You Need to Know About GDPR

As a U.S.-based small business owner, getting ready to comply with the General Data Protection Regulation (GDPR) regulation may not be at the top of your to-do list. Small business owners may think that the GDPR only applies to large, global companies that conduct business overseas, not for companies with fewer than 250 employees.

GDPR is one of the largest and most far-reaching global data privacy laws—and all businesses need to be GDPR-compliant with processes and documents in place. This new data protection law goes into force May 25, 2018 and will apply to all companies handling the consumer data of citizens within the European Union (EU), no matter the size, industry or country of origin of the business.

This compliance can seem especially overwhelming for small-business owners with less than robust resources. What should small-business owners know about the GDPR, and why does it matter?

Disclaimer: I’m not a lawyer, none of the following can be considered to be legal advice. PLEASE contact your attorney to ask if the GDPR law applies to your company. You may need to update your Privacy & Terms of Use Policies.

What is the GDPR privacy law?

Previously, each of the EU countries has had their own privacy laws and it’s been a complete mess. The goal of the new GDPR (or General Data Protection Regulation) has been to unify the laws and provide EU citizens better control over their personal data online.

The GDPR provisions specify that:

Anyone involved in processing EU consumer data, including third-party entities involved in data processing, can be found liable for a breach.
When an individual no longer wants a company to process their data, the data must be deleted.
For companies collecting customer data or processing sensitive data on a large scale, they must appoint a data protection officer.
Companies and organizations must notify national authorities of serious data breaches within 72 hours of detecting a breach.
For children under a certain age using social media, parental consent is required.
Individuals have a right to data portability to enable them to transfer their data easily between services.

My website is outside of the European Union, does this really matter?

The new law is specific in that it applies to any website that gets information about an EU citizen. So if your website could be visited by an EU citizen (remember, plenty of people have dual citizenship, which means they not live in the EU or access your website from an EU IP address), then it applies.

As far as the legal reach goes, if your country has friendly ties to a country in the EU, then yes, the new rules probably have the power of enforcement.

As far as how likely the new law is to directly affect you, that depends.

If you have a small website with very few or no official customers in the EU, then the GDPR enforcement team is probably only going to bother you if they get a complaint against you. This is very similar to ADA accessibility, small websites will only be visited about this if there are complaints.

On the other hand, if you have a large website with a lot of customers in the EU, then you need to take this GDPR law very seriously.

Regardless of whether you are likely to be affected, there are still some measures you should take.

Are you ready for GPDR?

Understand the types of personal data your business is handling before making any decisions. What are you collecting—names, email addresses, banking details—and is that information considered sensitive, such as a person’s health history? Learn about your data sources, where and how long it is stored, and how it is used.

Develop a consent policy to process personal data and acquire consent from customers. Under the GDPR, consent needs to be explicit, clear and specific, which can make some activities such as marketing more challenging. If your company website does not already have one, develop and display your privacy policy which should explain the legal basis for processing personal data.

Review and update your security measures and policies and make them GDPR-compliant. If your business does not have a data protection policy, develop one that uses GDPR-compliant practices. Using encryption is recommended and can help your business avoid hefty fines in the event of a data breach.

Prepare for data access requests and fair processing notices. The GDPR stipulates customers have the right to access their data, correct inaccurate data, object to their data being processed, or even completely erase their data that you hold. Such requests must be processed and completed within the required time frame. You also must use fair processing notices to describe to customers what you are doing with their data. Describe how and why your company will hold their data, who has access to it, and how long your company will keep the data.

Make your consent process clear, specific and transparent. Your customers should be able to choose to be on your mailing list, as well as control over how you use their data. According to the GDPR, consent must be in the form of a request separate from other terms and conditions. It must also require a positive opt-in in which users must check “yes.” Opting for a mailing list does not give the small-business owner the ability to use a customer’s data for something else unless this is outlined. Individuals should also know how to withdraw from your database at any time.

Finally, data consent should constantly be reviewed. Schedule regular checks with your subscribers to ensure individuals wish to remain on your mailing list and document any changes to their consent.

Bottom line: Consult with an attorney to understand the data privacy regulations and how they might impact your business. Assess processes already have in place and find out how to bolster your security practices. Get an expert if necessary.

What’s the possible penalty for not obeying the GDPR?

Basically, if you don’t follow the new law and you get caught and you’re in a country with friendly ties to the EU, you could be in legal & financial trouble.

The basic structure if you violate the GDPR looks like this:

First, you’re given a warning and a limited amount of time to get in line with the law.
Second, you’re given a reprimand.
Third, depending on your jurisdiction, you may have to suspend processing of data about EU citizens. This one will depend on your country and exactly what agreements your country has with the EU.
Fourth, fines. Up to 4% of your global annual turnover, or up to €20 million.

Generally, these types of laws have pretty predictable enforcement. Typically, they go after large websites that process a lot of personal data and websites that get complaints lodged against them. Even if you are a small little website, if people lodge complaints against you, the authorities will come knocking.

Key points of the new GDPR law

Use plain language

The new GDPR explicitly says that you must use plain language, not a giant pile of legalese. You must tell data subjects who you are when you request the data. You must also say why you are processing their data, how long it will be stored and who receives it.

Consent must be explicitly given

In the past, simply having a privacy policy and a link to it on every page was enough. It was implicit that if someone was on your site they were agreeing to your policy.

Now, if you are collecting NON-personally identifiable information (say aggregate info for overall analytics) then you are fine with implicit consent. However, if you are going to collect personally identifiable information (name, email, phone, etc), then you must have explicit consent.

Explicit consent means that a checkbox for “I accept the terms” must be UNchecked by default and the visitor to your website must voluntarily click that box. You must also make it clear when people voluntarily submit data what that will be used for. They don’t expect your entire privacy policy to be in your contact form. However, within your form should be the link to the privacy policy and some text stating that by submitting the form you are agreeing to the policy.

Notification of data breaches

You must notify data subjects of a data breach within 72 hours of you becoming aware of it. Data processors must notify data controllers of a breach “without undue delay”.

Some examples of data breaches:

You hired someone in India to do work on your website. Your website logged your contact forms, and therefore this person in a non-GDPR compliant country had access.
You gave your mailing list to a new marketing company to do marketing on your behalf. Your privacy policy had not previously stated that you would do this such action, so since this is a change in how personal data is handled, you must notify data subjects.
Your website was hacked.

Since you are required to notify about data breaches, that actually creates a legal obligation to have security monitoring on your website.

Right to access their data

Upon request, and at no charge, you must provide a data subject a copy of the personal data you have stored about them. You must also provide them with what data is processed, where that data is processed, by whom, and for what purpose.

The basic steps for data access are:

Verify they are who they say they are (otherwise you would be committing a data breach)
Make sure you have their data, if you don’t, just tell them you don’t have data on them
Don’t create extra data while processing their request
Record the request in an audit log
Do it within 20 days

Right to be forgotten

Basically, people have the right to leave your website and have you not store personally identifiable information about them. Provided, of course, that doesn’t violate any other laws.

Upon request, a data subject (aka EU citizen) can request that you delete the data you have collected about them. For example, if someone created an account with MailChimp and then decided to leave MailChimp. They have the right to ask Mailchimp to delete all data.

However, this is limited by other laws. For example, if you had paid Mailchimp for services, then Mailchimp is required by tax laws to maintain certain records. So in this case, Mailchimp would need to delete the data NOT related to tax purposes.

Right to take your data elsewhere

Basically, this is very similar to the right to access but extends it a little bit by saying that the data must be in a commonly used and machine-readable format.

So, taking a photo of some scribbled notes is not ok.

Most companies won’t have to deal much with this, but companies like MailChimp do. Since they have a lot of data, they provide an easy export to a CSV file.

Privacy by Design

Basically, only ask for data you actually need. If you don’t need the data, don’t ask for it, and then you can’t possibly do anything bad with data you don’t have.

Here’s an example:

You are a doctor’s office. You have quite detailed patient data because that’s needed to provide medical service. You want to share some data with a marketing company who will be doing some mailed flyers for you. This marketing company will need people’s names and addresses to send the flyers.

The marketing company also asks for demographic information for designing the flyer. You would need to give the marketing company only the info they need (name & address) and then aggregate info about your customers (both male & female, ages 18+). You couldn’t send them a big spreadsheet outlining people’s names, address, gender, and exact age.

Data protection officers may be required

If you process a lot of personal data then you’ll have to appoint a specific person to be in charge of the auditing and tracking of personal data and how you handle it. This person needs to report to the top tier of the company and will require specific training and certification. This person also needs to be an EU citizen.

A DPO, or data protection officer, only needs to appointed if you are a public authority or you engage in large-scale monitoring or processing. For example, ancestry.com has very personal information about a lot of people so they will need a DPO. My mom’s blog is small and doesn’t process a whole bunch of data, so she has no need for a DPO.

Steps to take NOW

Update your Privacy Policies

Website privacy policies, we generally set one up and then forget it. If you don’t have one, then now is the time to get one. If you already have one, now is the time to give it a good reading and make sure it’s up to date to reflect your current data practices and uses.

Remove any automatic opt-ins

If any of your forms have an automatically checked “I accept” box, you must make this box UNchecked.

Do a check on your stored information

Do a review of the information on your computers and paper documents.

Did a customer leave you years ago and you still have data about them that you don’t need? If so, delete it. If you need to keep some info for tax or other legal purposes, keep only the data you need.

Figure out what 3rd party services you actually have and if they are compliant

Take an inventory of your third-party services. Make sure that these services either are compliant or have a reasonable plan to become compliant. Some common ones (and most of the large companies have already updated their privacy policies to be GDPR compliant):

Email newsletters
Analytics (Google last week rolled out it’s new policies to be GDPR compliant)
Email contact forms
Web hosting companies (yes, Bracewell Web Works hosting is GDPR compliant)
Email providers
File hosting (like Dropbox, Google Docs, etc)
Payment processors
Accounting software
Time tracking software
Project management software
Chat, calling, video etc software
CRMs

Figure out what 3rd party providers you have and if they are compliant

Contact your current and past providers and make sure they don’t have any information they don’t need. Also, make sure they have very strict outsourcing/subcontracting policies.

Remember, data should only be transmitted to countries on the approved list! That includes both subcontracting and if they plan to travel. Remember, data isn’t supposed to go to non-approved countries. So don’t access personal data while you travel.

SEO companies (most contract out work)
Marketing companies (most contract out work)
Web developers (some contract out work – Bracewell Web Works does not)
Designers (some contract out work – Bracewell Web Works does not)
Anyone else who has access to your website (remember: if someone has access to your computer, and you’re logged in to your website, they can access the data, this may include your babysitter)

Collect only the information you actually need

You can’t mishandle data you don’t have. So if you don’t need it, delete it. Also, update your forms to make sure you only collect what you need.

Have a plan in place in the event of a data breach

Hope for the best, prepare for the worst. It’s a good motto.

Also, it’s a great time to get your website secured and monitored. We’re in the US and have a policy to not outsource any work outside the US, and have very reasonably priced website security packages and website maintenance packages which include daily security checks of your website.

Have a plan in place for someone requesting their data/deletion of their data/transfer of their data

Now that you’ve gone through your data, you should have a pretty good idea of what data you have. Just make a plan for how to verify someone if they ask for their data and then send that data to them.

If you are using a mailing list service like MailChimp, check out that service’s info on how to make it easy for people to access & delete themselves.

Update your contracts & NDAs

Review your contracts to make sure they fall in line with the GDPR, also make sure that you have clear and specific policies on outsourcing any work. For example, pretty much anyone with a business has a CPA and an assistant.

What is the GDPR privacy law?

My website is outside of the European Union, does this really matter?

Are you ready for GPDR?